HIPAA security and compliance, or the Health Insurance Portability and Accountability Act, seems to many in the medical industry to be nothing more than a mountain of administrative overhead and fines. There seem to be a million hoops to jump through and millions of dollars in fines for willful neglect. In reality, HIPAA compliance is simply a security framework designed to protect patients' critical personal, health and financial information. Specific to the healthcare industry, it requires every Covered Entity (CE) and Business Associate (BA) to protect patients' Protected Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA, and the fines issued for non-compliance have continued to grow as the cost of breaches has dented the healthcare sector to the tune of an estimated $4B in 2019. In 2018 each stolen patient record cost an average of $408, nearly three times the cross-industry average. In 2019 that average rose to $429 per record.
When you think of all the rules and conditions that must be met, and the associated penalties, compliance is a four-letter word to many. But it doesn't have to be. Let's break things down into categories and simplify them to give a high-level view of what needs to be addressed.
HIPAA security and compliance falls into three primary categories: the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Notification Rule. The HIPAA Privacy Rule identifies the data that must be protected. The HIPAA Security Rule describes how that data must be protected. And the HIPAA Notification Rule details the thresholds at which certain entities must be notified, which entities must be notified, and the deadlines by which these notifications must be made, should there be a breach.
The HIPAA Privacy Rule
1. The Privacy Rule defines Protected Health Information as any demographic data related to:
· An individual’s past, present, or future physical or mental health or condition
· Any healthcare treatments, prescriptions, etc.
· Any past, present, or future payments for healthcare provisions to the individual
This rule establishes standards that protect not only patients' right to confidentiality of their protected health information, but also their right to access their medical records for review and correction if necessary. The rules that determine the restrictions and conditions under which information may be used or disclosed without patient authorization are found in this rule. It also makes you responsible for the storage, protection and archiving of patient records, and requires that you be able to provide them to patients upon request for a period of 6 years at the federal level. Some states may require a longer retention period.
The HIPAA Security Rule
2. The Security Rule categorizes regulations into three groups to ensure that PHI is properly protected:
· Administrative regulations
· Physical regulations
· Technical regulations
This is the meat and potatoes of your HIPAA security and compliance program. This is where the controls are defined and applied to keep PHI safe. Policies and software to control password complexity, building and device access, email and hard drive encryption, role-based access, remote access, sharing of information, event logging, records archiving, and even HIPAA compliance and security awareness training requirements and records are all contained here. Evidence of continued compliance with all requirements must be documented and presentable in the event of a breach or complaint that results in an audit.
The HIPAA Notification Rule
3. The Notification Rule categorizes breach severity according to the number of patients affected by the breach and sets standards for how and when notifications must be made. For example:
· HIPAA data breaches affecting more than 500 people must be reported to the Department of Health and Human Services OCR "without unreasonable delay" and within 60 days of discovery. A media source serving the state in which the affected patients are located must also be notified within 60 days of discovery of the breach. If more than 10 affected persons cannot be reached due to incomplete or out-of-date contact information, the company must post notice of the breach prominently on its website for a duration of 90 days.
· HIPAA breaches affecting fewer than 500 people must still be reported to the OCR, but may be reported within 60 days of the start of the new calendar year. There is also no requirement to notify the media of such breaches.
Having a well-developed Incident Response Plan (IRP) as part of your HIPAA documentation and overall Business Continuity and Disaster Recovery (BCDR) plan gives you and your staff a roadmap for following the HIPAA Notification Rule to the letter. Practicing execution of the plan on a regular basis prepares your organization to take immediate and decisive action in the event of a worst-case scenario. This not only brings you into compliance with HIPAA mandates, but allows for a speedy recovery from incidents that can be crippling to companies that are unprepared when one occurs. It takes an average of 279 days to fully recover from a breach. This is partly because most companies that are breached because they have not sufficiently addressed security vulnerabilities have also, not surprisingly, not seen the need to prepare and plan a course of action in the event of one.
The good thing about HIPAA compliance is that all the associated controls and policies it requires are things we should all be doing anyway, and the benefits of strictly adhering to a well-designed and well-implemented HIPAA security and compliance policy are many. While something as complex and comprehensive as compliance could never be fully reduced to a checklist, a checklist can still be very useful for developing a framework and determining a course of action toward compliance remediation. See the HIPAA Compliance Starter Kit to help you begin and move through the conversations and initiatives necessary to become confident in your organization's level of compliance.